Jump to content

How create a HIPS rule for Winlogon?

Malaque
 Share
Go to solution Solved by Malaque,

Recommended Posts

Malaque

Malaque 3

Posted
Posted (edited)

  Hello. I'm still having some issues with Nod32, especially with logout session in user accounts of Windows 10

 

https://forum.eset.com/topic/7345-is-eset-crashing-my-windows-10/

 

I've enabled HIPS register and i've seen that the HIPS is blocking Winlogon process (selfdefense). I wonder how could I create a Rule exception for unblock Winlogon in HIPS module. 

 

 Thanks

Edited by Malaque
  • Administrators
Marcos

Marcos 5,736

Posted
  • Administrators
Posted

Please elaborate more on the issue. Are you unable to log out of a Windows session with Self-defense enabled?

  • Solution
Malaque

Malaque 3

Posted
  • Author
  • Solution
Posted (edited)

Randomly, not always, when i log out of an user session, Windows 10 crashes with this message:

hxxp://i.imgur.com/RpmXrJQ.jpg

In log HIPS, i've seen this event many times:

35]17/02/2016 15:41:03

35]C:\Windows\System32\svchost.exe

35]Obtener acceso a otra aplicación

35]C:\Windows\System32\winlogon.exe

35]acceso parcial bloqueado

35]Autodefensa: No permitir la modificación de procesos del sistema

35]Terminar/suspender otra aplicación

35]Now i set HIPS in Learning Mode and see if the crash back again. Maybe disabling Self-defense or creating a HIPs rule could help...

Edited by Malaque
Malaque

Malaque 3

Posted
  • Author
Posted

   Disabling Self-Defense... problemas gone. Thanks

mma64

mma64 7

Posted
Posted

 

[Malaque]   Disabling Self-Defense... problemas gone. Thanks

 

You shouldn't do this! Instead try it with a new HIPS rule, manually entered, see the screenshots (#4: you select 'winlogon.exe', of course). This way the 'winlogon.exe' crash (?) should go away. (In Win7 my HIPS log is full of the same entries as you have, but there's no crashing because of that. And there's no HIPS rule for 'winlogon.exe'. On the other hand I never log out and choose another user login: starting PC, restricted user login, PC shutdown, that's all...)

 

The pictured new HIPS rule should be 100% safe anyway, and don't forget to reenable ESET Self Defense! (But I doubt, that indeed ESET V9 in combination with Win10 has to be blamed for the described crash.)

 

Try it and report back. Thanks.

 

HTH

post-3617-0-95681000-1455749113_thumb.png

post-3617-0-59179000-1455749121_thumb.png

post-3617-0-76184600-1455749129_thumb.png

post-3617-0-83106500-1455749137_thumb.png

Malaque

Malaque 3

Posted
  • Author
Posted

 

 

[Malaque]   Disabling Self-Defense... problemas gone. Thanks

 

You shouldn't do this! Instead try it with a new HIPS rule, manually entered, see the screenshots (#4: you select 'winlogon.exe', of course). This way the 'winlogon.exe' crash (?) should go away. (In Win7 my HIPS log is full of the same entries as you have, but there's no crashing because of that. And there's no HIPS rule for 'winlogon.exe'. On the other hand I never log out and choose another user login: starting PC, restricted user login, PC shutdown, that's all...)

 

The pictured new HIPS rule should be 100% safe anyway, and don't forget to reenable ESET Self Defense! (But I doubt, that indeed ESET V9 in combination with Win10 has to be blamed for the described crash.)

 

Try it and report back. Thanks.

 

HTH

 

 

Thanks for your reply. Really i still create a rule, similar as yours, but problem back again. Even i delete one of the suspitious users accounts and create it again, but it not solves the issue. I'm not a patient man (i'm very busy), so finally i've uninstalled Nod32 in my desktop PC, and installed this license in my laptop (single user) and not problems. In my desktop PC i've installed KIS 2016 and it's running fine. Thanks again for your support.

Guest
This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...